[TriLUG] selinux vs. gitosis vs. apache
David Brain dbrain at gmail.com
Tue Sep 15 10:59:20 EDT 2009

Hi,
Have a look at the audit2allow command; I've used this in the past to
build local SELinux policies to allow me to run things when
directories weren't in the expected locations (e.g. running Apache with
sites served off NFS).  It's not a quick process (typically requiring
several audit2allow runs, until you get the permissions squared up)
but it does at least let you keep some of the SELinux protections.

David.

On Tue, Sep 15, 2009 at 9:50 AM, Robert Dale <robdale at gmail.com> wrote:
> I'm trying to set up a git repository with gitosis and gitweb using the
> stuff that came with Fedora Core 11.  However, I can only get one or the
> other to work, not both at the same time because of some selinux context.
> Gitosis and repositories are in /home/git
>
> When gitosis is working, ssh access, gitweb fails with:
>
> SELinux is preventing the gitweb.cgi from using potentially mislabeled files
> git
> (user_home_dir_t). SELinux has denied the gitweb.cgi access to potentially
> mislabeled files git.
> This means that SELinux will not allow httpd to use these files. Many third
> party apps install html files in directories that SELinux policy cannot
> predict.
> These directories have to be labeled with a file context which httpd can
> access.
>
> So I execute the suggested command: chcon -t httpd_sys_content_t 'git'.
>
> Then I get similar message for gitosis, fix that, and maybe some more
> mucking around, gitweb finally works.
>
> When I get back to work and try to pull/push, I get prompted for the git
> user's password instead of using the keys.
> SELinux records this:
>
> SELinux is preventing sshd (sshd_t) "search" httpd_sys_content_t
>
> So it seems like I can't have both at the same time.  Any ideas?
>
> Thanks,
>
> --
> Robert Dale
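
What the audit2allow step suggested above derives from denials like the ones in this thread, as an added example that is not part of the original messages: a simplified Python sketch of turning AVC records into allow rules (not audit2allow's own code). The log lines are constructed, and the `httpd_sys_script_t` domain for gitweb.cgi is an assumption; the thread does not name it.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not from the thread). sshd_t, httpd_sys_content_t and
# user_home_dir_t appear in the thread; httpd_sys_script_t is an assumed CGI domain.
SAMPLE_LOG = """\
type=AVC msg=audit(1253025560.101:410): avc:  denied  { search } for  pid=2101 comm="sshd" name="git" dev=dm-0 ino=131 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1253025560.101:410): arch=c000003e syscall=2 success=no exit=-13 comm="sshd"
type=AVC msg=audit(1253025560.140:411): avc:  denied  { getattr } for  pid=2101 comm="sshd" path="/home/git" dev=dm-0 ino=131 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1253025560.188:412): avc:  denied  { read } for  pid=2101 comm="sshd" name="authorized_keys" dev=dm-0 ino=140 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1253025571.020:420): avc:  denied  { search } for  pid=2150 comm="sshd" name="git" dev=dm-0 ino=131 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1253025602.411:431): avc:  denied  { search } for  pid=2307 comm="gitweb.cgi" name="git" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
"""

# A context is user:role:type[:level]; only the type field matters for allow rules.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)"
)

def denials_to_rules(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, PATH and other record types carry no denial
        m = AVC_RE.search(line)
        if m:
            rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return rules

def render(rules):
    """Format the grouped denials as policy-style allow statements."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return out

if __name__ == "__main__":
    print("\n".join(render(denials_to_rules(SAMPLE_LOG))))
```

Only denials already logged produce rules, which is why several runs are usually needed. Each generated rule applies to every object carrying that label, not only to /home/git, so it is worth reading before it is loaded.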